Hunton Retail Law Resource

This past week, several consumer actions made headlines that affect the retail industry.

FTC Jumps to Consumers' Defense in Trampoline Marketing Deception

On May 31, 2017, brothers Son Le and Bao Le agreed to settle FTC charges that their trampoline marketing deceived consumers by directing them to review websites that were not, but claimed to be, independent, and by failing to disclose financial interests when posting online product endorsements. The Le brothers created fictitious trampoline experts, including "Trampoline Safety of America" and the "Bureau of Trampoline Review," and built fake websites with fake expert reviews to induce customers to buy their trampolines. The administrative consent order prevents the Le brothers from engaging in such deceptive behavior and requires clear and conspicuous disclosure of any material connections between the reviewer and the product. 

On May 26, 2017, Alcoa Community Federal Credit Union (“Alcoa”), on behalf of itself, credit unions, banks and other financial institutions, filed a nationwide class action against Chipotle Mexican Grill, Inc. (“Chipotle”). The case arises from a breach of customer payment card data. The putative class consists of all such financial institutions that issued payment cards, or were involved with card-issuing services, for customers who made purchases at Chipotle from March 1, 2017, to the present. Plaintiffs allege a number of “inadequate data security measures,” including Chipotle’s decision not to implement EMV technology. 

On June 1, 2017, the new Cybersecurity Law went into effect in China. This post takes stock of (1) which measures have been passed so far, (2) which ones go into effect on June 1 and (3) which ones are in progress but have yet to be promulgated.

If you are a retailer, you may have policies and procedures in place regarding who can speak on behalf of your company. Such policies may generally instruct employees not to speak to the press as a representative of the company, and to direct all media inquiries to a particular person or department. Similarly, if you are a retailer, you may have a policy in place that instructs employees to forward any reference requests to your human resources department. These commonplace policies allow retailers to control their public image and protect employee privacy, among other benefits. But, according to a recent decision by a National Labor Relations Board (“NLRB”) administrative law judge (“ALJ”), such policies may violate the National Labor Relations Act (“NLRA”) by interfering with, restraining or coercing employees in their right to engage in concerted activity.

Earlier this month, Jay Clayton was sworn in as Chairman of the Securities and Exchange Commission (“SEC”). He has begun assembling his front office staff, and wasted no time in appointing William Hinman as director of the Division of Corporation Finance and Robert Stebbins as general counsel. Each of the three were previously partners at prominent corporate law firms, and each has substantial experience in corporate governance, capital markets transactions and mergers and acquisitions.

Private equity investors face unique challenges when procuring or renewing their liability insurance programs. For example, investors typically must complete lengthy applications or sign warranty and representation letters from their prospective insurers that inquire into knowledge by any potential insured as to any acts or omissions that could potentially give rise to a claim. These overly broad, and often vague, inquiries are problematic for private equity investors who would theoretically have to interview every employee, manager or director at every subsidiary, fund ...

On May 23, 2017, various Attorneys General of 47 states and the District of Columbia announced that they had reached an $18.5 million settlement with Target regarding the states’ investigation of the company’s 2013 data breach. This represents the largest multi-state data breach settlement achieved to date. 

This past week, several consumer protection actions made headlines that affect the retail industry.

NAD Recommends Kauai Coffee Discontinue and Modify Compost Claims

This week, NAD released their recommendations in their review of Kauai Coffee’s environmental claims for their single-serve coffee pod products. Kauai Coffee’s ads claim that the pods are “100% compostable,” but fail to clearly disclose that the pods are certified compostable only in industrial composting facilities, and are not suitable for home composting. While the pods are certified compostable by the Biodegradable Products Institute (“BPI”), BPI specified in its certification of the pods that they will disintegrate “swiftly and safely in a professionally managed composting facility.” NAD recommended that Kauai Coffee discontinue certain claims, and modify others to include the qualifying language: “Compostable in industrial facilities. Check locally, as these do not exist in many communities. Not certified for backyard composting.” Kauai Coffee said it will comply with NAD’s recommendations.

A year ago, the United States Supreme Court held in Spokeo, Inc. v. Robins that a plaintiff must do more than plead a mere statutory procedural violation to establish standing; to plead an injury in fact, a plaintiff also must allege a harm that is both “concrete” and “particularized.” Two recent decisions by the U.S. Court of Appeals for the Eleventh Circuit—one involving a rare written dissent from the denial of a petition for rehearing en banc—demonstrate the continuing difficulties courts are facing in determining what constitutes a concrete injury under Spokeo. They suggest that the Eleventh Circuit is most likely to find standing for violations of statutes that are intended to protect personal privacy or create a right to information, although judges do not always agree as to which statutes fall within these categories.

As we previously reported, beginning last Friday, and still occurring today, one of the worst and most widespread malware attacks has impacted more than 200,000 victims in at least 150 countries, including Britain’s National Health Service, FedEx, telecommunications companies Telefonica and Megafon, and automakers Renault and Nissan. The malware, known as "WannaCry," disables the user’s computer system and all of its data. A note in a text file then appears stating that in order to unlock the computer, $300 worth of the digital currency bitcoin must be paid to the hackers. A countdown timer appears and the fee increases with time. The hackers threaten to delete all data on the computer system if payment is not sent within one week. Cybersecurity experts believe that the malware was sent to computers through "phishing attacks," which are emails that appear to be from reputable sources and include a download to a link that allows the malware to infect the computer. From these computers, the malware then spreads to other computers on the network. One infected computer can spread this virus network-wide, and quickly.